I know that this is an old post, but then again I was looking for something else and came across this conversation about portfast. You can actually enable this also against ASA firewalls that have subinterface configuration against a trunk port on a switch, especially when you have ASA failover.

The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see the "Configuring Interface Parameters" section), or you can automatically generate MAC addresses (see the "Automatically Assigning MAC Addresses to Context Interfaces" section).
In system context configuration mode:
enable
config t
mac-address auto

I also work at TAC so if you want we can webex but this could be related to the device in front of the ASA that is probably doing the NAT.
FYI: You have the PAT NAT statement above the NAT exemption for your VPN related traffic so you need to remove:
nat (inside,outside) source dynamic any interface
and then add it back so it ends on line 2.
Juan Mora
Security Technical Lead
Email: jumora@Cisco.com
Desk:770-702-6300 Ext: 4863
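
The ordering problem described in the post above, as an added example that is not part of the original post: a small checker that flags a catch-all dynamic PAT rule placed ahead of a NAT exemption on the same interface pair. The sample configurations and the object names LOCAL_NET and REMOTE_NET are constructed, and the exemption is assumed to be written as an identity (twice) NAT rule.

```python
import re

# Constructed sample configs (not from the original post); object names are hypothetical.
BROKEN = """\
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET
"""
FIXED = """\
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET
nat (inside,outside) 2 source dynamic any interface
"""

# Manual NAT rule, with the optional explicit line number after the interface pair.
NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\) (?:\d+ )?source (static|dynamic) (\S+) (\S+)(.*)$")

def parse_manual_nat(config):
    """Return manual NAT rules in configuration order (first match wins)."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, kind, real, mapped, rest = m.groups()
        rules.append({
            "pos": len(rules) + 1,
            "ifpair": (real_if, mapped_if),
            # Catch-all PAT: any source translated to the interface address.
            "catch_all_pat": kind == "dynamic" and real == "any" and mapped == "interface",
            # Exemption: source mapped to itself, scoped by a destination.
            "exemption": kind == "static" and real == mapped and "destination static" in rest,
        })
    return rules

def shadowed_exemptions(config):
    """Pairs (pat_pos, exemption_pos) where a catch-all PAT precedes an exemption."""
    rules = parse_manual_nat(config)
    hits = []
    for pat in (r for r in rules if r["catch_all_pat"]):
        for ex in (r for r in rules if r["exemption"]):
            if ex["ifpair"] == pat["ifpair"] and ex["pos"] > pat["pos"]:
                hits.append((pat["pos"], ex["pos"]))
    return hits

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, shadowed_exemptions(cfg))
```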

What do you mean by that question: "Do I need to prepare a separate machine as a Websense server?" The question is related to Websense requirements. I believe that there are several options: you get a server or you buy the appliance. For further details please ask the Websense vendor.

Websense is a third-party product that works in conjunction with the ASA, so you need to purchase it.
2. The ASA has an option with the Websense (url-filtering) configuration to block proxies, but nowadays people use all types of proxies, so you might need to monitor your network connections or block any unknown port from going out through the firewall. In the ASA URL filtering document, you will find the proxy-block option: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97277-pix-asa-url-filtering.html#task3
Each function has some sort of impact, whether positive or negative. I've seen a lot of ASAs configured with Websense without any problems, if that is what you are asking.